<html>
<head><meta charset="utf-8"><title>question comex · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html">question comex</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="163181218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181218">(Apr 12 2019 at 11:38)</a>:</h4>
<p><span class="user-mention" data-user-id="198590">@comex</span> i think you might be mixing things up</p>



<a name="163181232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181232">(Apr 12 2019 at 11:39)</a>:</h4>
<p>the point about array length has nothing to do with the rest of your comment</p>



<a name="163181299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181299">(Apr 12 2019 at 11:40)</a>:</h4>
<p>Rust already supports allocations that are larger than <code>isize::MAX</code>, e.g., on a 32-bit system you can allocate <code>isize::MAX as usize / 4 * 3</code> bytes of memory using the global allocator, and construct a slice <code>from_raw_parts</code> that points to that region of allocated memory</p>



<a name="163181325"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181325" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181325">(Apr 12 2019 at 11:41)</a>:</h4>
<p>That works fine</p>



<a name="163181401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181401">(Apr 12 2019 at 11:42)</a>:</h4>
<p>The only thing that can trigger UB in anything you mention is using <code>ptr.add</code> or <code>ptr.offset</code> such that a new pointer is computed that's more than <code>isize::MAX</code> bytes away from the source</p>



<a name="163181423"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181423" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181423">(Apr 12 2019 at 11:43)</a>:</h4>
<p>that can happen only for some combinations of <code>(T, offset)</code></p>



<a name="163181439"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181439" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181439">(Apr 12 2019 at 11:43)</a>:</h4>
<p>e.g. <code>[(); usize::MAX]</code> works just fine, and using <code>ptr.offset/add</code> with <code>usize::MAX</code>/<code>isize::MAX</code> works just fine too</p>



<a name="163181545"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181545" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181545">(Apr 12 2019 at 11:45)</a>:</h4>
<p>IIUC, you question is that code that assumes that a slice can only point to allocations with less than <code>isize::MAX</code> bytes might have undefined behavior on a different implementation, and its therefore not portable.</p>



<a name="163181562"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181562" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181562">(Apr 12 2019 at 11:45)</a>:</h4>
<p>But that code is not portable today, in Rust, because that can already happen (e.g. the 32-bit example above)</p>



<a name="163181638"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181638" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181638">(Apr 12 2019 at 11:46)</a>:</h4>
<p>Or maybe your question was that code assumes that slice.len is always smaller than <code>isize::MAX</code>, but that also does not hold in Rust today</p>



<a name="163181650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181650">(Apr 12 2019 at 11:47)</a>:</h4>
<blockquote>
<p>Rust already supports allocations that are larger than <code>isize::MAX</code>, e.g., on a 32-bit system you can allocate <code>isize::MAX as usize / 4 * 3</code> bytes of memory using the global allocator, and construct a slice <code>from_raw_parts</code> that points to that region of allocated memory</p>
</blockquote>
<p>While it's true that ZSTs enables arrays/slides/etc. with <em>length</em> larger than isize::MAX that don't correspond to an <em>allocation</em> larger than isize::MAX, for allocations that are larger than isize::MAX we have no support story and essentially 0% of Rust code supports such large allocations. Your particular example here (slice::from_raw_parts) is wrong: that function explicitly states that calling it for slices larger than isize::MAX bytes is UB, and it has to, because slicing and indexing uses <code>offset</code> internally.</p>



<a name="163181791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181791">(Apr 12 2019 at 11:49)</a>:</h4>
<p><span class="user-mention" data-user-id="124289">@rkruppe</span> indeed, that's required for safe indexing</p>



<a name="163181857"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181857" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181857">(Apr 12 2019 at 11:50)</a>:</h4>
<p>the question is then whether users can rely on that being the case</p>



<a name="163181881"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181881" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181881">(Apr 12 2019 at 11:50)</a>:</h4>
<p>that's a pre-condition on <code>slice::from_raw_parts</code>, but does the <code>slice</code> type guarantee users that it holds ?<br>
AFAICT a new Rust version could remove the pre-condition in a backwards compatible way</p>



<a name="163181908"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181908" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181908">(Apr 12 2019 at 11:51)</a>:</h4>
<p>Yes, that's an interesting question, but let's not get the background knowledge wrong while discussing it :p</p>



<a name="163181985"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163181985" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163181985">(Apr 12 2019 at 11:52)</a>:</h4>
<p>so what's the answer to @comex question ?</p>



<a name="163182018"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182018" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182018">(Apr 12 2019 at 11:52)</a>:</h4>
<p>I do not think we have any precedent that would allow us to answer definitely, so I gesture at the "own-rfc-worthy" label that's already on that issue</p>



<a name="163182031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182031">(Apr 12 2019 at 11:53)</a>:</h4>
<p>I think the text they quote does imply what they think it implies</p>



<a name="163182058"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182058" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182058">(Apr 12 2019 at 11:54)</a>:</h4>
<p>They claim the text implies that a Rust implementation could support slices larger than <code>isize::MAX</code></p>



<a name="163182112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182112">(Apr 12 2019 at 11:54)</a>:</h4>
<p>And AFAICT, that's the case, that could happen</p>



<a name="163182120"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182120" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182120">(Apr 12 2019 at 11:54)</a>:</h4>
<p>guaranteeing that it cannot happen would require an RFC</p>



<a name="163182171"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182171" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182171">(Apr 12 2019 at 11:55)</a>:</h4>
<p>that does not have much to do with their question about the portability distiction between <code>ptr.add</code> and <code>ptr.offset</code></p>



<a name="163182355"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182355" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182355">(Apr 12 2019 at 11:58)</a>:</h4>
<p>ah, yes it does, from a portability pov to such implementations, their implementation using<code>ptr.add</code> works, while the one using <code>ptr.offset</code> is broken.</p>



<a name="163182356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182356">(Apr 12 2019 at 11:58)</a>:</h4>
<p>tbqh it seems we're all in agreement about what we want to document and comex's concern is just that this isn't expressed right/clearly enough in the current UCG? no need to language-lawyer about wording that we can just go and make less in need of lawyering</p>



<a name="163182396"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182396" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182396">(Apr 12 2019 at 11:59)</a>:</h4>
<p>i think <span class="user-mention" data-user-id="198590">@comex</span> concern is that we should deprecate <code>ptr.offset</code>, which is IMO the right thing to do if we want to allow future Rust implementations to support slice larger than <code>isize::MAX</code></p>



<a name="163182498"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182498" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182498">(Apr 12 2019 at 12:00)</a>:</h4>
<p>We should only do that deprecation if we <em>actively decide</em> that is a future we want. But that is way outside the scope of the current discussion.</p>



<a name="163182521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182521">(Apr 12 2019 at 12:01)</a>:</h4>
<p>Right now we just don't decide either way about that, so we have no basis to deprecate, it's just another action item to attach to when we eventually address that question.</p>



<a name="163182620"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182620" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182620">(Apr 12 2019 at 12:02)</a>:</h4>
<p>So to be clear, I think the question "is &lt;example using <code>add</code>&gt; portable and &lt;example using <code>offset</code>&gt; nonportable" is currently answered not by yes or no, but "pending further decisions". which you can read as "no" if you want to be careful with the code you write, but it's no basis for going and deprecating stuff</p>



<a name="163182862"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182862" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182862">(Apr 12 2019 at 12:07)</a>:</h4>
<p><span class="user-mention" data-user-id="124289">@rkruppe</span> agree - in many other issues, we leave stuff out because we actively want to support some use cases, but that's not the case here. Here, we leave the limits out because going either way (supporting slices larger than isize::MAX or fixing the maximum slice size) would require an RFC. This is just an unspecified part of the language.</p>



<a name="163182945"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163182945" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163182945">(Apr 12 2019 at 12:09)</a>:</h4>
<p>Maybe we should just use <code>unspecified</code> instead of <code>implementation-defined</code>. Implementation-defined sounds like we encourage every implementation to do whatever they want.</p>



<a name="163183009"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163183009" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163183009">(Apr 12 2019 at 12:10)</a>:</h4>
<p>Leaving this as implementation-defined would also require an RFC.</p>



<a name="163183654"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question%20comex/near/163183654" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/question.20comex.html#163183654">(Apr 12 2019 at 12:20)</a>:</h4>
<p>yeah</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>